Full Disclosure mailing list archives
Re: Removing ShKit Root Kit
From: Brian Eckman <eckman () umn edu>
Date: Mon, 22 Dec 2003 16:00:50 -0600
Larry W. Cashdollar wrote:
> On Mon, 22 Dec 2003, Brian Eckman wrote:
>> Schmehl, Paul L wrote:
>> Hmmm. Well, if the execute bit isn't set, then I'd assume it can be considered relatively safe. If the attacker can later find a way to chmod it and then execute it with the privileges needed to make it harmful, then I imagine that they could find other ways of compromising your machine as well.
>
> The attacker could have also added a new user to your oracle database, so I see where Paul is coming from. Restoring actual data from a known good copy is a better idea. I suspect that most people keep a backup copy (raw dd) of a compromised system for the feds and a copy for themselves to explore. Other than that nothing can be trusted from the compromised system.
>
> -- Larry C$

It always will depend on the situation. Is throwing away a few million transactions acceptable, when it might take a couple of hours or less to compare the Oracle user list against a known good list? Should you scrutinize each of those millions of transactions that occurred between compromise and detection to make sure each and every one of them is legit? If doing so costs more than it is worth (define as you wish), it won't happen, and shouldn't.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who understand binary and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
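Brian's suggestion of comparing the Oracle user list against a known-good list, as an added example that is not part of the original thread: a Python script that diffs a current user export against a baseline export (both constructed sample rows in the shape of DBA_USERS plus granted roles, not real accounts) and flags accounts created inside the suspected compromise window or whose status or roles changed.

```python
from datetime import datetime

# Constructed sample exports: (username, created, account_status, roles).
# BASELINE is what a known-good copy would show; CURRENT is the suspect system.
BASELINE = [
    ("SYS",     "2003-01-10T09:00:00", "OPEN",   {"DBA"}),
    ("SYSTEM",  "2003-01-10T09:00:00", "OPEN",   {"DBA"}),
    ("APPUSER", "2003-03-02T14:30:00", "OPEN",   {"CONNECT", "RESOURCE"}),
    ("REPORTS", "2003-03-02T14:35:00", "LOCKED", {"CONNECT"}),
]
CURRENT = [
    ("SYS",     "2003-01-10T09:00:00", "OPEN",   {"DBA"}),
    ("SYSTEM",  "2003-01-10T09:00:00", "OPEN",   {"DBA"}),
    ("APPUSER", "2003-03-02T14:30:00", "OPEN",   {"CONNECT", "RESOURCE", "DBA"}),
    ("REPORTS", "2003-03-02T14:35:00", "OPEN",   {"CONNECT"}),
    ("SUPPORT", "2003-12-20T03:12:41", "OPEN",   {"DBA"}),
]

def _index(rows):
    # Map username -> (created datetime, status, set of roles)
    return {u: (datetime.fromisoformat(c), s, set(r)) for u, c, s, r in rows}

def diff_user_lists(baseline, current, window_start, window_end):
    """Compare a current user export with a known-good one.
    Returns added/removed usernames and per-user changes; each 'added' entry
    records whether the account was created inside the compromise window."""
    base, cur = _index(baseline), _index(current)
    ws, we = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    report = {"added": {}, "removed": sorted(set(base) - set(cur)), "changed": {}}
    for user in sorted(set(cur) - set(base)):
        created = cur[user][0]
        report["added"][user] = {"created": created.isoformat(),
                                 "in_window": ws <= created <= we}
    for user in sorted(set(base) & set(cur)):
        (_, bstat, broles), (_, cstat, croles) = base[user], cur[user]
        changes = {}
        if bstat != cstat:
            changes["status"] = (bstat, cstat)   # e.g. a locked account reopened
        if croles - broles:
            changes["roles_gained"] = sorted(croles - broles)  # privilege escalation
        if broles - croles:
            changes["roles_lost"] = sorted(broles - croles)
        if changes:
            report["changed"][user] = changes
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(diff_user_lists(BASELINE, CURRENT,
                                     "2003-12-19T00:00:00", "2003-12-22T00:00:00"), indent=2))
```

The same diff applies to any account source you can export as rows; what makes it useful in triage is having the baseline taken from a copy that predates the compromise.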